
(Continued from page 21)

Step 5 – The server checks this hash against the one stored for the user in the database.

Step 6 – If the two hashes match exactly, the user is granted access.

The Dictionary for Uncracking the Egg

So, if no one can Unscramble the password, how are the criminals actually getting into an account after getting that Data Breach file from the Dark Web? The answer is they probably don't need to Unscramble it. They have a Dictionary. Or several. I am referring to what is properly called a Hash Table Dictionary (also known as a Rainbow Table (4)). I will simply call it a dictionary.

What is a dictionary, and how does it help? Remember in 'The Hash' that the data for account 1 and account 4 had an identical Password and Hash? THAT is the weakness of a hash code. Anyone can run the hash function on as many words as they want and save the hash values in a database (this becomes their Dictionary). SO, they can save the hash for all the passwords like '12345' and 'admin' and any other word in a list of well-known, commonly re-used, and very bad passwords.

For example, the MD5 hash for helloworld is fc5e038d38a57032085441e7fe7010b0. And that PW is now in their 'dictionary.' When they look for 'fc5e….' in the stolen database, they find it, and it belongs to both user 1 and user 4. Both must have a password of helloworld. Almost zero seconds to look through the data and find all the fools who have used helloworld as their password. And they are not even breaking a sweat yet.

So, if you are a bad guy, what do you do? You would create huge lists using all the known passwords and their hash. Those lists of words and phrases contain the things that have been used most often, which gives them the biggest bang for their buck. And, with the hash for each of those passwords, all you need to do is look for them in the stolen database. Just one problem, and it is a big problem: there are a lot of words you must hash. That creates huge files. (You can check any password, plus variations, in a list of 14,344,391 known passwords (6). For example, Google for 'hello kitty' site:https://md5hashonline.com/most-common-passwords/ and on page 310 it is word number 30,972.)

Bigger is Better

And the longer the password lengths get, the huger (more bigger?) that file grows. So, for example, for passwords with just 9 lower case letters (abcdefghi), the number of passwords that could be formed is 5,646,683,826,134. But, of course, all those are not words, and as the number of characters (or numbers or symbols) increases, so does the size of the database they have to hash to complete their dictionary. So even if they had a database with all the possible combinations of 9 lower case and 3 upper case letters, they would have almost 4 x 10^20 passwords. And with no symbols or numbers, it is not even close to being complete. And they would need to buy a lot of big drives and have lots of supercomputers working around the clock.

So, what do they do? They have reasonably sized (but huge) Hash Table Dictionaries, which they can afford to purchase, and have enough disk space to store, to get maybe just those top 5 (or 14 or 600) million common, repeated, very awful, known passwords.

But wait…. There's more. We have only done that for the MD5 function. They still need the time and disk space for SHA-1, SHA-256, NTLM, and LANMAN. And what about words written in other languages? (Holamundo is helloworld in Spanish!) More possibilities. Without those, all of the data that was breached is of much less use to them. Unless they want to test words one hash at a time, which is called Brute Force. For the next 10 thousand years. (See footnote (7) about Hashcat.) It is possible, but…..?

To Improve the Hash, Add Salt

So, you see the problem here. Einstein told us: do the same thing, get the same thing. It IS repeatable. Those repeated passwords all had the same repeated hash. How can that be fixed? It is neither impossible nor difficult. It can and should be fixed from two ends of the system. If the hash is bad, we need to add Salt. But who should add the salt, You, or the Cook? It turns out the Cooks ought to season the hash, but in case they did

(Continued on page 23)
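The dictionary lookup described above, the 'Bigger is Better' arithmetic, and the salt remedy the article is introducing, as an added Python example that is not from the bulletin. The 'stolen database' and the common-password list are constructed here, and the salted side uses a random per-user salt with SHA-256 only to keep the contrast visible; a real login system would put a dedicated password hashing function such as bcrypt or Argon2 on top of that.

```python
import hashlib
import os

# Constructed "stolen database" (added illustration, not data from the bulletin
# or any real breach): users 1 and 4 share the password helloworld, as in the
# article's table, and every stored value is a plain unsalted MD5 hash.
_PLAINTEXT = {1: "helloworld", 2: "Xq7#pL2v", 3: "hello kitty", 4: "helloworld"}
UNSALTED_DB = {u: hashlib.md5(p.encode()).hexdigest() for u, p in _PLAINTEXT.items()}

# Constructed stand-in for a "most common passwords" list.
COMMON_WORDS = ["12345", "admin", "password", "helloworld", "hello kitty"]


def dictionary_size(alphabet, max_len, digest_bytes=16):
    """Candidate strings of length 1..max_len over `alphabet` symbols, and the
    bytes needed to store one MD5 digest per candidate. (26, 9) gives the
    article's 5,646,683,826,134, i.e. every lowercase string of 1 to 9 letters."""
    n = sum(alphabet ** k for k in range(1, max_len + 1))
    return n, n * digest_bytes


def build_dictionary(words):
    """Hash every word once: this is the article's 'Hash Table Dictionary'."""
    return {hashlib.md5(w.encode()).hexdigest(): w for w in words}


def lookup(stolen_db, dictionary):
    """{user: password} for each stored hash present in the dictionary. Nothing
    is unscrambled; identical passwords simply produced identical hashes."""
    return {u: dictionary[h] for u, h in stolen_db.items() if h in dictionary}


def salted_hash(password, salt=None):
    """The fix from the server ('Cook') side: a random per-user salt, stored
    beside the digest so the server can recompute it at login. Same password,
    different salt, different digest, so no precomputed table matches it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest


def verify_salted(stored, password):
    """Login check (Steps 5 and 6): re-hash the offered password with the stored salt."""
    salt_hex, _ = stored.split("$")
    return salted_hash(password, bytes.fromhex(salt_hex)) == stored


if __name__ == "__main__":
    table = build_dictionary(COMMON_WORDS)
    print(lookup(UNSALTED_DB, table))           # users 1, 3 and 4 exposed at once
    s1, s4 = salted_hash("helloworld"), salted_hash("helloworld")
    print(s1 != s4, s1.split("$")[1] in table)  # True False
    print(dictionary_size(26, 9))
```

dictionary_size(26, 9) reports roughly 90 TB for the MD5 digests alone, before a single plaintext is stored next to them, which is why the article's attackers settle for the top few million known passwords instead.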


Cyber Awareness Bulletin, page 22, October 2021